CyberWire Daily - Cloudbleed and what it means to you. Ransomware updates. News from the Moscow treason trials. Coachella Festival breached.

Episode Date: February 27, 2017

In today's podcast, we hear how Cloudflare suffered from Cloudbleed. The bug's now swatted, but it will take a lot of people some time to clear up their passwords. Spora ransomware's customer service ...gives lousy service. TrumpLocker ransomware's just VenusLocker poaching some brand equity. Pen testers say they can break into most networks in under twelve hours. FBI asked again how it gained access to the San Bernardino jihadist's iPhone. Update on the Moscow treason trials. The University of Maryland Center for Health and Homeland Security's Ben Yelin describes some unintended consequences from a Trump executive order. Headed to Coachella? Hang onto your passwords. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cloudflare suffers from Cloudbleed. The bug's now swatted, but it will take a lot of people some time to clear up their passwords. Spora Ransomware's customer service gives lousy service. Trump Locker Ransomware's just Venus Locker poaching some brand equity.
Starting point is 00:02:11 Pen testers say they can break into most networks in under 12 hours. The FBI gets asked again how it gained access to the San Bernardino jihadist's iPhone. There's an update on the Moscow treason trials. Are you headed to Coachella? Hang on to your passwords. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, February 27, 2017. Late last Thursday, Google's Project Zero disclosed that Cloudflare was leaking sensitive information online.
Starting point is 00:02:46 Cloudflare is a major provider of a content delivery network, internet security services, and distributed domain name server services. The company has patched the memory leak bug responsible, the flaw's being called Cloudbleed, and stresses that the problem with its caching infrastructure affected a relatively small set of the websites that use their DNS services. BitSight explains on its blog that Cloudflare's problems arose from an error in parsing logic that could lead to a buffer overrun that would output uninitialized memory content onto affected web pages.
Starting point is 00:03:19 The websites potentially affected by Cloudbleed were those that had either email obfuscation, server-side excludes, or automatic HTTPS rewrites enabled. Since many popular services use Cloudflare, among them Uber, Fitbit, OkCupid, and Patreon, and since data may have been leaking for some time, many researchers are advising users to assume their credentials have been exposed, and of course, to change them. The case is a cautionary one. It highlights the risk of third-party memory leaks.
Starting point is 00:03:51 A number of industry leaders have weighed in on the issue. David Berman of CipherCloud points out that while most service providers support best practices for data in transit and data at rest, there's still a gap for data in use. We also heard from Kunal Anand, one of Prevoty's co-founders. He noted that this story is unusual in that the search engines began picking up the leaked information without realizing they were doing so. Quote, reputable companies like Google are taking the extra step to purge their search caches for this sensitive information. End quote. Anand urges the sites
Starting point is 00:04:25 and services affected by Cloudbleed to do API key and password resets across the board. We hope, like Anand, that this doesn't give enterprises migrating to the cloud or to infrastructure-as-a-service options too many headaches. Shuman Ghosemajumder of Shape Security pointed out that this is, quote, one of the widest exposures of confidential and sensitive consumer data ever observed, end quote. While it's unlikely that all of your passwords have been compromised, he says, quote, the problem is that almost any one of your passwords on over 4 million websites could have been compromised, so the safest course of action is to act as though all your passwords were compromised.
Starting point is 00:05:06 End quote. This should also remind everyone of what a bad idea it is to reuse passwords. Ransomware and DDoS remain fixtures of the threat landscape. F-Secure describes the ruthlessness of Spora Ransomware's controllers. The security company has been reading through transcripts of interactions between Spora's customer service and the ransomware's victims. Whether you're pleading poverty or asking for sympathy because you just want your grandchildren's pictures back, or even if you tried to pay but lost your Bitcoin because Spora's payment system
Starting point is 00:05:39 botched accounts receivable, the answer is the same, a mechanical refusal to consider a discount or even show ordinary human understanding. But then this isn't surprising. There really aren't many Robin Hoods or other honorable thieves out there in the criminal underground. Those who've been following the ongoing Moscow treason trials will recall that Russian authorities have been careful to insist that the defendants stand accused of having handed information not to the CIA proper, but to Americans. Over the weekend, it's emerged what Americans those are thought to be. At least one of the defendants, Ruslan Stoyanov, is accused of passing state secrets to U.S. companies, notably to Verisign's iDefense cybercrime unit.
Starting point is 00:06:24 The accusations date back to 2010 and were leveled by the Russian online payment company Chronopay. Chronopay says it's looking forward to cooperating with the prosecution. Now that iPhone forensic and cracking shop Cellebrite has revealed more of its available services, the U.S. FBI is being asked again how it gained access to the San Bernardino jihadist's iPhone and how much it paid for any assistance. Security firm Nuix has been surveying penetration testers. Those are the good guys, white hats, who test systems for security
Starting point is 00:06:59 by attempting to break into them with the owner's permission. Nuix concludes that a determined hacker can generally get into a network within 12 hours. This sounds bad enough, but Lamar Bailey of Tripwire thinks the conclusion, if closely read, is marginally less alarming. Bailey points out that most network intrusions still occur by exploiting known vulnerabilities that have been left unpatched. So his advice remains, pay attention to the basics. Why make it easier on the attacker than necessary?
Starting point is 00:07:28 And you've heard of Trump Towers and any number of other places and products associated with the eponymous 45th U.S. President. Here's another one. Trump Locker. But the name is adventitious, if not deceptive. Mr. Trump isn't involved. And Trump Locker's not even new and huge. It's just a thinly repacked version of the old Venus Locker ransomware.
Starting point is 00:07:53 Finally, headed for the Coachella Music Festival? We hear it's like Burning Man meets Bob Hope, but admittedly it can be hard to hear from one shining sea to another, so perhaps we got it all wrong. Anyway, we're sure it's a swell time, so enjoy it if you find yourself between the Joshua trees and the Salton Sea in California's low desert. But there's a snake in the heavily irrigated garden, isn't there always? In this case, the snake is one hacker going by the Slavic-themed name Berkut. He or she or they is selling more than 950,000 user accounts for the popular music fest in the Tochka black market. Some of them seem legitimate. So watch your credentials and consider paying cash for your flowered headdress.
Starting point is 00:08:43 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:09:17 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:09:52 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:10:30 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:11:05 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Ben Yelin. He's the Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, a story came by from TechCrunch. President Trump put in a hiring freeze across the federal government,
Starting point is 00:11:45 but that is going to affect cybersecurity, specifically some cybersecurity students. Yeah, so there's this really great program. It's called the CyberCorps Scholarship for Service, and it allows students who have graduated with some technical degree to have some sort of loan forgiveness if they take a job in the public sector. The problem is that with this hiring freeze, there are not many jobs that are going to be hiring. Only if there are some vacancies will the federal government be hiring people using the scholarship. The way the scholarship works is that if you are not able to obtain a public sector job within a certain time period after graduation, then you are liable to pay back those loans. So it's not just that we're
Starting point is 00:12:32 depriving the federal government of young talent in cybersecurity. And again, this is something that President Trump himself has said is a critical issue. But we're forcing many of these students who may have been relying on obtaining the scholarship and getting public sector employment to be massively in debt when they come out of school. And I think it's a penny wise and pound foolish policy. So is this a situation where, you know, some students had headed off to college and made their plans based on this program, and now the rug is sort of being pulled out from under them? I think that's exactly what's happening. Now, there are other opportunities that are not with the federal government. The scholarship also allows people to get public sector jobs at
Starting point is 00:13:16 the state and local level. But, you know, the real bulk of government jobs relating to cybersecurity, because this is a national issue with national implications, are going to be federal jobs. I mean, it's the federal government that has NIST. It's the federal government that has the cybersecurity task forces. And while there may be jobs available for many of these students in state and local governments, we're still cutting off a major, major potential source of jobs for students who are relying on this program to go through school. Yeah, the article points out that the National Security Agency, the NSA, has its own version of this program called the Stokes Educational Scholarship Program. And it's likely that that's exempted because of NSA's role in national security. But so far, OPM hasn't really issued clear guidance on this. Yeah, that's another problem is that there's this sort of vague exception to the general
Starting point is 00:14:13 federal hiring freeze for military and national security. But that leaves open a number of questions. What counts as national security? As we've said, the president himself has declared cybersecurity to be a, it certainly implicates national security. So does a program like the one you discussed with the NSA qualify for that? I think there's not a lot of clarity. And that's one of the problems with many of these executive orders so far is that the policies themselves aren't supplanted with clear guidance to federal agencies as to how they're going to be implemented. So it creates confusion and it can create real heartache for students who are relying on these scholarships for gainful employment. And really,
Starting point is 00:14:57 all of us who want the federal government to be hiring the best and the brightest, there's going to be a major talent drop-off because of this policy. All right. Ben Yelin, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
Starting point is 00:15:38 one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:16:36 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
